From efdb8c60a369cdf4600c747a533c1e60a28a1d9c Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Apr 27 2022 10:24:38 +0000 Subject: Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0 defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default. However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of security do not meet SECLEVEL=1's requirement of 80 bits. Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which would include all algorithms, regardless of their security level), allow MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1. Related: rhbz#2069239 --- diff --git a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch index e6a1925..256cdc8 100644 --- a/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch +++ b/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch @@ -1,4 +1,4 @@ -From f695f140255f9b564cac4d5e9e38ba27ec927256 Mon Sep 17 00:00:00 2001 +From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Tue, 1 Mar 2022 15:44:18 +0100 Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = @@ -26,14 +26,14 @@ default configuration. Related: rhbz#2055796 Related: rhbz#2070977 --- - crypto/x509/x509_vfy.c | 19 ++++++++++- + crypto/x509/x509_vfy.c | 20 ++++++++++- doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++------- + ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 78 insertions(+), 16 deletions(-) + 4 files changed, 82 insertions(+), 16 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 2f175ca517..60aa26f552 100644 +index 2f175ca517..bf0c608839 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -25,6 +25,7 @@ 
@@ -44,7 +44,7 @@ index 2f175ca517..60aa26f552 100644 #include "crypto/x509.h" #include "x509_local.h" -@@ -3441,14 +3442,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) +@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) { int secbits = -1; int level = ctx->param->auth_level; @@ -67,17 +67,18 @@ index 2f175ca517..60aa26f552 100644 + if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) return 0; -+ if (nid == NID_sha1 ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) + && ctx->param->auth_level < 2) + /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. */ ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + return secbits >= minbits_table[level - 1]; } diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 0c9110d28a..02e7ca706f 100644 +index 0c9110d28a..e0516d20b8 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -309,6 +309,13 @@ this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as 
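Review bot: The MD5-SHA1 exemption added to check_sig_level widens certificate-chain signature checking, not just the TLS 1.0 handshake case the commit describes: `nid` here comes from X509_get_signature_info() on a certificate, and whether a certificate signature is acceptable does not depend on the negotiated TLS version, so the new comment text `Also allow MD5-SHA1 because TLS 1.0 is still supported, which uses it` does not explain this site. If only rsa_pkcs1_md5_sha1 handshake signatures need the exemption, this hunk and the matching ssl_security_cert_sig hunk (the one headed `@@ -185,13 +188,14 @@`) can keep `if (nid == NID_sha1` and leave the MD5-SHA1 widening to the sigalg paths in ssl/t1_lib.c; if certificates carrying an MD5-SHA1 digest really must verify, the comment should state that intent so the broader bypass is not read as accidental. Note also that `ctx->param->auth_level < 2` admits level 0 as well as the level 1 the commit message names, which is harmless but worth saying in the comment. The opening lines of check_sig_level lie outside this hunk.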
@@ -86,16 +87,16 @@ index 0c9110d28a..02e7ca706f 100644 +Note that enabling B will allow TLS signature +algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of 80 bits of security, which SHA1 does not meet. This -+allows using SHA1 in TLS in the LEGACY crypto-policy on Fedora without -+requiring to set the security level to 0, which would include further insecure -+algorithms. ++security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. ++This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on ++Fedora without requiring to set the security level to 0, which would include ++further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. + =item B (deprecated) The value is a boolean that can be B or B. If the value is diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index dcd487ec2e..e47ddf56f1 100644 +index dcd487ec2e..0b50266b69 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ @@ -106,7 +107,7 @@ index dcd487ec2e..e47ddf56f1 100644 #include "internal/sslconf.h" #include "internal/nelem.h" #include "internal/sizes.h" -@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) +@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); return 0; } 
@@ -124,11 +125,12 @@ index dcd487ec2e..e47ddf56f1 100644 - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); - return 0; + -+ if (lu->hash == NID_sha1 ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) + && SSL_get_security_level(s) < 2) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility */ ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + } else { + /* + * Make sure security callback allows algorithm. For historical @@ -147,22 +149,23 @@ index dcd487ec2e..e47ddf56f1 100644 } /* Store the sigalg the peer uses */ s->s3.tmp.peer_sigalg = lu; -@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) +@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) } } -+ if (lu->hash == NID_sha1 ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) + && SSL_get_security_level(s) < 2) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility */ ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + } + /* Finally see if security callback allows it */ secbits = sigalg_security_bits(s->ctx, lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) +@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { /* Lookup signature algorithm digest */ int secbits, nid, pknid; 
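Review bot: In tls12_check_peer_sigalg the legacy branch is an empty block holding only a comment, and taking it skips the `ssl_security(...)` call kept in the else branch, so once rh-allow-sha1-signatures is set no application-installed security callback is consulted for SHA1 or MD5-SHA1 peer signatures at level 0 or 1; tls12_sigalg_allowed (the `@@ -2106` hunk below) likewise returns 1 before its `Finally see if security callback allows it` step. If skipping the callback is intended, the comment at both sites should say so, e.g. `* This also bypasses any application-installed security callback. */`; if not, the condition should be folded into the callback path instead of returning early. As a point of style, an empty then-block reads awkwardly: `if (!((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) && ...)) {` followed by the existing callback code expresses the same thing without the dangling branch. If, as its name suggests, tls12_check_peer_sigalg only sees TLS 1.2 signature_algorithms entries, the NID_md5_sha1 half of that condition may be unreachable there and only the tls12_sigalg_allowed change matters for TLS 1.0 — worth confirming against the sigalg lookup table, which is not in this hunk. Both enclosing functions start and end outside the hunk.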
@@ -171,7 +174,7 @@ index dcd487ec2e..e47ddf56f1 100644 /* Don't check signature if self signed */ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) return 1; -@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) +@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) /* If digest NID not defined use signature NID */ if (nid == NID_undef) nid = pknid; @@ -185,13 +188,14 @@ index dcd487ec2e..e47ddf56f1 100644 + else + libctx = OSSL_LIB_CTX_get0_global_default(); + -+ if (nid == NID_sha1 ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) + && ((s != NULL && SSL_get_security_level(s) < 2) + || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2) + )) + /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. */ ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + return 1; + if (s) diff --git a/0053-Add-SHA1-probes.patch b/0053-Add-SHA1-probes.patch index b146d4a..e0493a3 100644 --- a/0053-Add-SHA1-probes.patch +++ b/0053-Add-SHA1-probes.patch @@ -1,4 +1,4 @@ -From a1905af412163cf971107f51a33dff8b416ab690 Mon Sep 17 00:00:00 2001 +From 428369896db1656af748a67bb36fba039e7b39ad Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Mon, 25 Apr 2022 15:21:46 +0200 Subject: [PATCH] Instrument SHA-1 signatures with USDT probes 
@@ -11,13 +11,13 @@ This should allow identifying components that still use SHA-1 signatures in production so that they can be transitioned to more modern hash algorithms. --- -crypto/evp/m_sigver.c | 13 +++++++++---- -crypto/evp/pmeth_lib.c | 13 +++++++++---- -crypto/x509/x509_vfy.c | 6 +++++- -providers/common/securitycheck.c | 22 +++++++++++++++------- -providers/common/securitycheck_default.c | 13 +++++++++++-- -ssl/t1_lib.c | 8 +++++++- -6 files changed, 56 insertions(+), 19 deletions(-) + crypto/evp/m_sigver.c | 13 +++++++++---- + crypto/evp/pmeth_lib.c | 13 +++++++++---- + crypto/x509/x509_vfy.c | 6 +++++- + providers/common/securitycheck.c | 22 +++++++++++++++------- + providers/common/securitycheck_default.c | 13 +++++++++++-- + ssl/t1_lib.c | 8 +++++++- + 6 files changed, 56 insertions(+), 19 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 8da2183ce0..c17cdfa5d5 100644 @@ -26,7 +26,7 @@ index 8da2183ce0..c17cdfa5d5 100644 @@ -16,6 +16,8 @@ #include "internal/numbers.h" /* includes SIZE_MAX */ #include "evp_local.h" - + +#include + typedef struct ossl_legacy_digest_signatures_st { @@ -49,21 +49,21 @@ index 8da2183ce0..c17cdfa5d5 100644 + } } } - + diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 3c5a1e6f5d..589a352974 100644 +index b96f148c0d..54fcf24945 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c -@@ -36,6 +36,8 @@ +@@ -37,6 +37,8 @@ #include "internal/sslconf.h" #include "evp_local.h" - + +#include + #ifndef FIPS_MODULE - + static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, -@@ -954,10 +956,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -956,10 +958,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { int mdnid = EVP_MD_nid(md); @@ -80,32 +80,33 @@ index 3c5a1e6f5d..589a352974 100644 + } } } - + 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 60aa26f552..d054acd5a7 100644 +index bf0c608839..78638ce80e 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -29,6 +29,8 @@ #include "crypto/x509.h" #include "x509_local.h" - + +#include + /* CRL score values */ - + #define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */ -@@ -3462,10 +3464,12 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) - - if (nid == NID_sha1 +@@ -3462,11 +3464,13 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) + + if ((nid == NID_sha1 || nid == NID_md5_sha1) && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) - && ctx->param->auth_level < 2) + && ctx->param->auth_level < 2) { + DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid); /* When rh-allow-sha1-signatures = yes and security level <= 1, - * explicitly allow SHA1 for backwards compatibility. */ + * explicitly allow SHA1 for backwards compatibility. Also allow + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ return 1; + } - + return secbits >= minbits_table[level - 1]; } diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c @@ -115,7 +116,7 @@ index e534ad0a5f..bf496450cf 100644 @@ -21,6 +21,8 @@ #include "prov/securitycheck.h" #include "internal/sslconf.h" - + +#include + /* @@ -123,7 +124,7 @@ index e534ad0a5f..bf496450cf 100644 * signing), and for legacy purposes 80 bits (for decryption or verifying). @@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ - + #ifndef FIPS_MODULE - if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) - /* SHA1 is globally disabled, check whether we want to locally allow @@ -138,7 +139,7 @@ index e534ad0a5f..bf496450cf 100644 + DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid); + } #endif - + return mdnid; 
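Review bot: After this rebase the USDT probes fire for MD5-SHA1 as well as SHA1, because `DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);` now sits inside the widened `(nid == NID_sha1 || nid == NID_md5_sha1)` branch, and the same holds for the three libssl probes in the ssl/t1_lib.c hunk further down. The 0053 patch subject `Instrument SHA-1 signatures with USDT probes` and its description still speak only of SHA-1, so a consumer counting SHA-1 signature use would also count MD5-SHA1 unless it filters on the nid/hash argument each probe passes. A sentence in the patch description such as `The probes also fire for MD5-SHA1 (rsa_pkcs1_md5_sha1 in TLS 1.0/1.1) when it is admitted by the same rule; the nid argument distinguishes the two.` would make that explicit. The enclosing check_sig_level begins outside this hunk.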
@@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) #ifndef FIPS_MODULE @@ -155,22 +156,22 @@ index e534ad0a5f..bf496450cf 100644 + } } #endif - + diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index ce54a94fbc..ecb3a9d4b6 100644 +index ce54a94fbc..2d21e4a7df 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,6 +17,8 @@ #include "internal/nelem.h" #include "internal/sslconf.h" - + +#include + /* Disable the security checks in the default provider */ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) { @@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); + if (mdnid == NID_sha1) @@ -189,47 +190,49 @@ index ce54a94fbc..ecb3a9d4b6 100644 return mdnid; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index e47ddf56f1..a4b9ff749e 100644 +index 0b50266b69..d05e696a28 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
@@ -28,6 +28,8 @@ #include "ssl_local.h" #include - + +#include + static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); - -@@ -1568,6 +1570,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) - && SSL_get_security_level(s) < 2) { - /* when rh-allow-sha1-signatures = yes and security level <= 1, - * explicitly allow SHA1 for backwards compatibility */ + +@@ -1569,6 +1571,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) + /* When rh-allow-sha1-signatures = yes and security level <= 1, + * explicitly allow SHA1 for backwards compatibility. Also allow + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash); } else { /* * Make sure security callback allows algorithm. For historical -@@ -2120,6 +2123,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) - && SSL_get_security_level(s) < 2) { - /* when rh-allow-sha1-signatures = yes and security level <= 1, - * explicitly allow SHA1 for backwards compatibility */ +@@ -2122,6 +2125,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) + /* When rh-allow-sha1-signatures = yes and security level <= 1, + * explicitly allow SHA1 for backwards compatibility. Also allow + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. 
*/ + DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash); return 1; } - -@@ -3018,10 +3022,12 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) + +@@ -3020,11 +3024,13 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) && ((s != NULL && SSL_get_security_level(s) < 2) || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2) - )) + )) { /* When rh-allow-sha1-signatures = yes and security level <= 1, - * explicitly allow SHA1 for backwards compatibility. */ + * explicitly allow SHA1 for backwards compatibility. Also allow + * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ + DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid); return 1; + } - + if (s) return ssl_security(s, op, secbits, nid, x); --- +-- 2.35.1 + diff --git a/openssl.spec b/openssl.spec index 289670a..a2ef2e7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -410,6 +410,11 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Wed Apr 27 2022 Clemens Lang - 1:3.0.2-4 +- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes + to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy. + Related: rhbz#2069239 + * Tue Apr 26 2022 Alexander Sosedkin - 1:3.0.2-4 - Instrument with USDT probes related to SHA-1 deprecation